IBM Support

QRadar: How to check QRadar is using default Certificates, HTTPD Certificates or Custom self signed SSL HTTPD certificates

Question & Answer


Question

How to check QRadar is using default certificates, HTTPd certificates or Custom self-signed SSL HTTPd certificates.

Cause

QRadar® can use custom HTTP certificates (self-signed, internal CA signed, public CA/intermediate CA signed) OR Local CA.

Answer

Certificate details can be verified through an SSH session on the Console or by accessing the QRadar Console GUI from a web browser.
 
  1. SSH to the QRadar Console Server as the root user.
  2. Verify what type of certificate QRadar is using, by running the following command.
    openssl x509 -in /etc/httpd/conf/certs/cert.cert -text | grep -i issuer
    In the output of the command, verify the Issuer field. If the value of the field is QRadar Local CA then the certificate was generated by the local CA.
    Output Example:
    Issuer: CN=QRadar Local CA

    In the following output, you can see the Issuer filed is CN= Digicert. If the value of the Issuer field is not QRadar Local CA, then the certificate was not generated by the local CA. These certificates are custom self-signed SSL certificates and generated by other CA.
    openssl x509 -in /etc/httpd/conf/certs/cert.cert -text | grep -i issuer
    Issuer: C=US, O=DigiCert Inc, CN=DigiCert 
            CA Issuers - URI:http://XX.com/DiXX.crt
Using a browser to verify the QRadar Console GUI.
NOTE: The steps to check the certificate details, depends on the browser and the browser's version. Irrespective of the browser and its version, if the certificate is issued by QRadar Local CA, it is NOT a custom certificate. These steps are relevant only after the QRadar Console GUI is accessed by using the respective browser (so that the HTTPS protocol is used).
  1. For Mozilla™ Firefox™, refer to this link. Check for the field Issuer Name. If it states Common Name: QRadar Local CA, then that certificate was generated by using the local CA. If the Common Name is different, then the certificate is a custom certificate.
     
  2. For Google® Chrome, click the padlock icon to the left of the QRadar GUI URL, then click Certificate. Under the General tab, check the Issued by field. If that field has the value, QRadar Local CA then it is not a custom certificate but was issued by the QRadar local CA.

[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwt3AAA","label":"QRadar Apps"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]

Document Information

Modified date:
15 August 2023

UID

ibm16507321